
More than 100 malicious Chrome extensions have been discovered stealing user data, injecting ads, and creating backdoor access to users’ browsers, according to cybersecurity researchers. The large-scale campaign highlights growing risks associated with seemingly harmless browser add-ons available on official platforms.
The investigation, conducted by security firm Socket, identified 108 extensions that collectively affected over 20,000 users. These extensions were distributed through five different developer accounts—GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project—but were linked through a shared command-and-control infrastructure, indicating a coordinated operation.
A significant portion of these extensions was designed to steal sensitive user information. Around half of them targeted Google accounts by capturing OAuth2 tokens and extracting user identity details such as email, name, and profile data. Others focused on hijacking Telegram sessions, allowing attackers to take control of user accounts by manipulating browser storage and reloading sessions.
In addition to data theft, 45 of the extensions were found to contain a universal backdoor mechanism. This feature enables attackers to open arbitrary URLs in a user’s browser whenever it starts, without any user interaction. Researchers noted that this backdoor operates independently and can be triggered remotely, making it particularly dangerous as it persists even if the extension is not actively used.
The malicious extensions were disguised as common tools such as Telegram clients, gaming applications, YouTube and TikTok enhancers, translation tools, and utility extensions. While they appeared to function normally to avoid suspicion, hidden scripts connected to remote servers to carry out unauthorized activities, including ad injection and data exfiltration across all visited web pages.
Despite being reported by researchers, the extensions were not immediately removed from the Chrome Web Store at the time of discovery. The incident underscores the limitations of existing security checks and highlights the need for users to carefully review permissions and regularly audit installed extensions to reduce exposure to such threats.
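The extension audit the article recommends, written out as an added example (not Socket's code or anything from the report): a Python script that scores a Chrome extension manifest for the capability mix described above, namely OAuth2 identity access, storage manipulation, host access to every page, and background code that can open URLs at startup. The `SAMPLE_MANIFEST`, the risk mapping and the `audit_profile` helper are assumptions of this example, not data from the page.

```python
import json
from pathlib import Path

# Permissions mapped to the capabilities the article attributes to the campaign.
RISKY_PERMISSIONS = {
    "identity": "can obtain Google OAuth2 tokens for the signed-in user",
    "storage": "can rewrite extension storage (used to swap in session data)",
    "cookies": "can read or alter cookies on permitted hosts",
    "tabs": "can open URLs and read tab state without user interaction",
    "scripting": "can inject scripts into pages it has host access to",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return findings and a score for one manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = [f"{p}: {RISKY_PERMISSIONS[p]}" for p in sorted(perms & RISKY_PERMISSIONS.keys())]
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site: can inject ads or exfiltrate data on all pages")
    if "background" in manifest and "tabs" in perms:
        findings.append("background code plus tabs: can open arbitrary URLs at browser start")
    score = len(findings)
    return {"name": manifest.get("name", "?"), "findings": findings,
            "score": score, "needs_review": score >= 3}

def audit_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and rank results.
    Typical Linux path: ~/.config/google-chrome/Default/Extensions"""
    results = []
    for mf in extensions_dir.glob("*/*/manifest.json"):
        with open(mf, encoding="utf-8") as f:
            result = audit_manifest(json.load(f))
        result["id"] = mf.parent.parent.name
        results.append(result)
    return sorted(results, key=lambda r: r["score"], reverse=True)

# Constructed sample resembling a "translation tool" with the campaign's capability mix.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Translate Helper (constructed sample)",
    "permissions": ["identity", "storage", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

A high score is a prompt for review, not proof of malice; legitimate extensions also request broad permissions, so compare the findings against what the extension claims to do.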